openstack/openstack-manuals
Code Issues Proposed changes
07d938a102
openstack-manuals/doc/install-guide/section_basics-security.xml
Joseph Robinson e9fd400193 Reducing install guide build warnings 
Limiting the number of words per line in the install
guide and common content to reduce install
guide build  warnings concerning overflow from about 22 to 16

Change-Id: Iac4c5d429e2e35148e98885c180990f90cf9ca15
backport: juno
Closes-bug: #1273143
2014-11-19 10:35:28 +10:00

134 lines
5.7 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="basics-security">
<?dbhtml stop-chunking?>
<title>Security</title>
<para>OpenStack services support various security methods
including password, policy, and encryption. Additionally,
supporting services including the database server and
message broker support at least password security.</para>
<para>To ease the installation process, this guide only
covers password security where applicable. You can create
secure passwords manually, generate them using a tool such as
<link xlink:href="http://sourceforge.net/projects/pwgen/">pwgen</link>,
or by running the following command:</para>
<screen><prompt>$</prompt> <userinput>openssl rand -hex 10</userinput></screen>
<para>For OpenStack services, this guide uses
<replaceable>SERVICE_PASS</replaceable> to reference
service account passwords and
<replaceable>SERVICE_DBPASS</replaceable> to reference
database passwords.</para>
<para>The following table provides a list of services that require
passwords and their associated references in the guide:
<table rules="all">
<caption>Passwords</caption>
<thead>
<tr>
<th>Password name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>Database password (no variable used)</td>
<td>Root password for the database</td>
</tr>
<tr>
<td><literal><replaceable>RABBIT_PASS</replaceable></literal></td>
<td>Password of user guest of RabbitMQ</td>
</tr>
<tr>
<td><literal><replaceable>KEYSTONE_DBPASS</replaceable></literal></td>
<td>Database password of Identity service</td>
</tr>
<tr>
<td><literal><replaceable>DEMO_PASS</replaceable></literal></td>
<td>Password of user <literal>demo</literal></td>
</tr>
<tr>
<td><literal><replaceable>ADMIN_PASS</replaceable></literal></td>
<td>Password of user <literal>admin</literal></td>
</tr>
<tr>
<td><literal><replaceable>GLANCE_DBPASS</replaceable></literal></td>
<td>Database password for Image Service</td>
</tr>
<tr>
<td><literal><replaceable>GLANCE_PASS</replaceable></literal></td>
<td>Password of Image Service user <literal>glance</literal></td>
</tr>
<tr>
<td><literal><replaceable>NOVA_DBPASS</replaceable></literal></td>
<td>Database password for Compute service</td>
</tr>
<tr>
<td><literal><replaceable>NOVA_PASS</replaceable></literal></td>
<td>Password of Compute service user <literal>nova</literal></td>
</tr>
<tr>
<td><literal><replaceable>DASH_DBPASS</replaceable></literal></td>
<td>Database password for the dashboard</td>
</tr>
<tr>
<td><literal><replaceable>CINDER_DBPASS</replaceable></literal></td>
<td>Database password for the Block Storage service</td>
</tr>
<tr>
<td><literal><replaceable>CINDER_PASS</replaceable></literal></td>
<td>Password of Block Storage service user <literal>cinder</literal></td>
</tr>
<tr>
<td><literal><replaceable>NEUTRON_DBPASS</replaceable></literal></td>
<td>Database password for the Networking service</td>
</tr>
<tr>
<td><literal><replaceable>NEUTRON_PASS</replaceable></literal></td>
<td>Password of Networking service user <literal>neutron</literal></td>
</tr>
<tr>
<td><literal><replaceable>HEAT_DBPASS</replaceable></literal></td>
<td>Database password for the Orchestration service</td>
</tr>
<tr>
<td><literal><replaceable>HEAT_PASS</replaceable></literal></td>
<td>Password of Orchestration service user <literal>heat</literal></td>
</tr>
<tr>
<td><literal><replaceable>CEILOMETER_DBPASS</replaceable></literal></td>
<td>Database password for the Telemetry service</td>
</tr>
<tr>
<td><literal><replaceable>CEILOMETER_PASS</replaceable></literal></td>
<td>Password of Telemetry service user <literal>ceilometer</literal></td>
</tr>
<tr>
<td><literal><replaceable>TROVE_DBPASS</replaceable></literal></td>
<td>Database password of Database service</td>
</tr>
<tr>
<td><literal><replaceable>TROVE_PASS</replaceable></literal></td>
<td>Password of Database Service user <literal>trove</literal></td>
</tr>
</tbody>
</table>
</para>
<para>OpenStack and supporting services require administrative
privileges during installation and operation. In some cases,
services perform modifications to the host that can interfere
with deployment automation tools such as Ansible, Chef, and
Puppet. For example, some OpenStack services add a root
wrapper to <literal>sudo</literal> that can interfere with
security policies. See the
<link xlink:href="http://docs.openstack.org/admin-guide-cloud/content/root-wrap-reference.html">Cloud Administrator Guide</link>
for more information. Also, the Networking service assumes
default values for kernel network parameters and modifies
firewall rules. To avoid most issues during your initial
installation, we recommend using a stock deployment of a
supported distribution on your hosts. However, if you choose
to automate deployment of your hosts, review the configuration
and policies applied to them before proceeding further.</para>
</section>
View Git Blame Copy Permalink